8c9de6f89be0268a42a7365b6db0098a93e7cf4cda63bc79cda5132a09123180

General

Target

45dce586847b9a88a5e803b5c7d1f5f3.exe
Size

385KB
MD5

45dce586847b9a88a5e803b5c7d1f5f3
SHA1

b2af12ec5f7a6c9404c96ee1be174b4fa76c935c
SHA256

8c9de6f89be0268a42a7365b6db0098a93e7cf4cda63bc79cda5132a09123180
SHA512

6893a39aff7bf36592878e152b0b1ff3dd368bd693de8b923327d88e9762b5325e0a69e2299a73655d368e089673d8733307682dcc60af3d3883f6812e7f8d62
SSDEEP

6144:0UhUKqlRScjcgBcjYcyS6cyexjXV1zbpILk8fOShrTANibhYqB:R1icFyS6crjFThSh/NLB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1168	45dce586847b9a88a5e803b5c7d1f5f3.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	45dce586847b9a88a5e803b5c7d1f5f3.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	45dce586847b9a88a5e803b5c7d1f5f3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	45dce586847b9a88a5e803b5c7d1f5f3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	45dce586847b9a88a5e803b5c7d1f5f3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	45dce586847b9a88a5e803b5c7d1f5f3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2668	45dce586847b9a88a5e803b5c7d1f5f3.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2668	45dce586847b9a88a5e803b5c7d1f5f3.exe
1168	45dce586847b9a88a5e803b5c7d1f5f3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1168	2668	45dce586847b9a88a5e803b5c7d1f5f3.exe	28
PID 2668 wrote to memory of 1168	2668	45dce586847b9a88a5e803b5c7d1f5f3.exe	28
PID 2668 wrote to memory of 1168	2668	45dce586847b9a88a5e803b5c7d1f5f3.exe	28
PID 2668 wrote to memory of 1168	2668	45dce586847b9a88a5e803b5c7d1f5f3.exe	28

C:\Users\Admin\AppData\Local\Temp\45dce586847b9a88a5e803b5c7d1f5f3.exe
"C:\Users\Admin\AppData\Local\Temp\45dce586847b9a88a5e803b5c7d1f5f3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\45dce586847b9a88a5e803b5c7d1f5f3.exe
  C:\Users\Admin\AppData\Local\Temp\45dce586847b9a88a5e803b5c7d1f5f3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45dce586847b9a88a5e803b5c7d1f5f3.exe

Filesize
206KB

MD5
5ade2d81d65691ea7faa5f14bf698e3e

SHA1
d8d0308bb80e32445af3a01ff735c13b18cd2221

SHA256
81b5bb1422ba92afae89db97456f59023769672d599bca381d071aa149d4565e

SHA512
b953833c9ffb340a0e2e98b2cf7ead2141f5cb90d286426b954b05bb238e39f9d06e9eaa2518548df40c9e5471257f8529041c4fb7ea1ada5f0c56d898b0d554

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab45C9.tmp

Filesize
38KB

MD5
4ccf0d564bafda60be7190b7b3701bda

SHA1
97bc56c7664d28191ea1c69c48fd1ab5f0afc395

SHA256
e138dad4f29540b215d28cb7306346c21a5b8239917b2b7e312f1750996b3c04

SHA512
d99d540781dba735bb49045f0ef46e6f30244be52d8ea40e652a929aae460098ff75db3c89e6daaf9a20e8e3378b0436851c76fce0a9d0b8cb2fd5720a44e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45FB.tmp

Filesize
64KB

MD5
69b8e2fe3bb7142b759bbc3bd3092cc2

SHA1
c55b032e44415d77a1a2f3f6c6c049b7cc32afd7

SHA256
d31cf766104ab57466eca8c74b0b1dc3f7729270b60df98dde747087ec3e8bb4

SHA512
c3b3ca6861a0e35822f0c5b6085f7fc1444b051548aec4362723d1b7a14b72cd832335ca29eea23ce8f9fb71f4ac76c6bf2b58a220722e7843461bf095970b7b

Download Submit
\Users\Admin\AppData\Local\Temp\45dce586847b9a88a5e803b5c7d1f5f3.exe

Filesize
255KB

MD5
8522c125ca654401f8a6cea51b66a6b1

SHA1
99ceb966e3694a4c38a7b63905bf4c54058709f2

SHA256
992bcc670f0a26445cf64d15aeebed47521ae8bc68df6f6442ad25deb601464d

SHA512
48427cca801a0263e94b0417fa417638b53cd5cf4f4160bbcd8a0d7f7fdc9a93640e1f1aaa7884d479c02213b32fee1a9712cec7d09766d8182e4a60644e37ed

Download Submit
memory/1168-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1168-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-24-0x0000000000240000-0x000000000029F000-memory.dmp

Filesize
380KB

Download
memory/1168-16-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/1168-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1168-82-0x000000000EA00000-0x000000000EA3C000-memory.dmp

Filesize
240KB

Download
memory/1168-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2668-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2668-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2668-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2668-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing